FEATURE 31 July 2023

Naming the end client: GDPR and data privacy


Kaleke Kolawole, policy manager at MRS, explores whether you need to name the client when conducting research, as well as the challenges of doing so.


It is a conundrum, we know. Do you need to name the client when conducting research? What are the challenges of doing so and are there any exemptions?

The MRS Code of Conduct states that ‘members must disclose the identity of clients where there is a legal obligation to do so’, and states that ‘where files of identifiable individuals are used – e.g., client databases – members must ensure that the source of the personal data is revealed at an appropriate point in the data collection’.

There is an obligation to name a commissioning client in three main scenarios: 

  • Client is the data controller or joint controller
  • Client is the source of the personal data
  • Client is receiving personal data from a research activity.

Additionally, the identity of the client must be revealed when data collection is undertaken if clients require personal data from a project.

First, what is a data controller? 
The data controller determines the purposes for which, and the means by which, personal data is processed. If your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. The UK General Data Protection Regulation (GDPR) draws a distinction between a ‘controller’ and a ‘processor’ to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.

The UK GDPR defines these terms:

  • ‘Controller’ means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • ‘Processor’ means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

If you are a controller, you are responsible for complying with the UK GDPR – you must be able to demonstrate compliance with the data protection principles and take appropriate technical and organisational measures to ensure your processing is carried out in line with the UK GDPR.

Naming the end client
The determination of who is a controller (DC), joint controller (JDC), data processor (DP) or third party is a question of fact rather than contractual stipulation. It is based on a determination of the purposes and means of the processing and, essentially, the level of decision-making power exercised.

Depending on the type of research project, a client may be a third party, sole data controller or joint data controller in line with the level of autonomy and responsibility the client exercises over the personal data being collected.

Similarly, a research supplier may be a processor, joint controller or sole controller. Importantly, it should be noted that receiving personal data is not the only measure for determining if you are a controller in a research project. If you set a purpose – for example, issue a commercial question to a researcher – you are rendered a controller. The key to determining the status of each party in research data collection is knowing the level of control exercised and understanding where the decision-making authority is held.

Numerous legal cases have tested whether access to identifiable data is key to determining whether a controller relationship exists. These cases have determined that an entity does not need to have access to personal data to be considered a controller. It is enough if a business determines the purposes and means of processing, has influence on the processing by causing the processing of personal data to start (and being able to make it stop), or receives the anonymous statistics based on personal data collected and processed by another entity.

What are the challenges with naming the client?
We acknowledge that naming the end client is not a favourable position for commissioners. It can erode the principle of ‘confidentiality’, introduce bias and reduce the robustness of a research project. Naming the client can also:

  • Reduce methodological rigour (e.g., bias responses where the client’s identity is known up front; adversely impact on trend data where attitudes on behaviour etc. are measured over time, as results will not be comparable)
  • Contravene regulatory controls that seek to ensure there is a clear distinction between direct marketing and other activities (e.g., introducing client name may seem like disguised promotion; routing participants to promotional pages of a client may appear to be a direct marketing activity)
  • Impact on the use of methodologies such as spontaneous awareness (e.g., measuring how many participants can recall a brand name or company material without any assistance on behalf of the interviewer)
  • Impact on research that may be ‘commercially sensitive’, such as product development
  • Contribute to information fatigue, such as in omnibus surveys, which collect data for a variety of clients and may require disclosure of the names of multiple clients and their privacy policies.

Are there any exemptions?
Article 13 of the GDPR states ‘where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with: the identity and contact details of the controller and, where applicable, of the controller’s representative’.

There is no exemption or derogation from the legal obligation to name a controller – it is an absolute requirement to provide transparent information about controllers to data subjects and is in line with the GDPR principles of ‘fairness’ and ‘transparency’. However, we consider that there is some flexibility at the point at which a controller must be named.

We interpret the requirements in the GDPR on naming the data controller as providing some leeway on the point in time when the controller must be named. It is important that the data controller is named as part of the single process of collecting personal data, but this may be more appropriately done at the end, rather than at the beginning, of a survey.

  • It must be made clear to data subjects that the data controller will be named at the end of the data collection exercise.
  • Assurances must be provided to data subjects that any personal data collected will be deleted if, at the point that the data controller is revealed, they object, wish to withdraw their consent and/or no longer wish to participate.

This approach is most appropriate when no personal data is being shared with the end client, but researchers may also consider using it in other circumstances.

Kaleke Kolawole is policy manager at the Market Research Society

This article was first published in the July 2023 issue of Impact
